Data Protection

Our commitments under the New Zealand Privacy Act 2020, the EU GDPR and the UK GDPR — and the rights you have over your personal information.

This Data Protection Statement complements our Privacy Policy and Security page. It explains the legal framework we operate under, the role DocStow plays when handling your data, and how you can exercise your rights.

1. Who is the data controller?

DocStow Ltd, a company registered in New Zealand, is the data controller for personal information collected through the DocStow Service. Our registered office is in Auckland, New Zealand. You can contact our Privacy Officer at privacy@docstow.com.

2. Legal frameworks we comply with

  • New Zealand Privacy Act 2020 and the thirteen Information Privacy Principles (IPPs).
  • EU General Data Protection Regulation (Regulation (EU) 2016/679) for users located in the European Economic Area.
  • UK GDPR and the Data Protection Act 2018 for users located in the United Kingdom.
  • Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) where applicable to Australian users.

3. Principles we follow

  • Lawfulness, fairness and transparency. We only process data for the purposes you'd reasonably expect and we tell you what we do.
  • Purpose limitation. We collect data only for the specific purposes set out in our Privacy Policy.
  • Data minimisation. We ask for the least amount of information necessary to deliver the Service.
  • Accuracy. We make it easy for you to correct your information at any time.
  • Storage limitation. We don't keep data longer than we need to.
  • Integrity and confidentiality. Encryption, access controls and strict operational practices protect your data — see our Security page.
  • Accountability. We document what we do, why we do it, and we're ready to demonstrate compliance on request.

4. International data transfers

Your primary data is stored in Supabase's Sydney (ap-southeast-2) region. New Zealand has been recognised by the European Commission as providing an adequate level of data protection, so transfers between the EEA and New Zealand do not require additional safeguards. Transfers to Australia (where our hosting is located) are protected by Standard Contractual Clauses with our sub-processors. A small number of transactional sub-processors (Stripe, Resend, OpenAI) may process limited personal data in the United States or Europe; all such transfers are protected by Standard Contractual Clauses or equivalent safeguards approved under the GDPR and UK GDPR.

5. Your rights

You have the following rights over your personal information, and we make it easy to exercise every one of them:

  • Right of access. Request a copy of all personal information we hold about you.
  • Right to rectification. Correct information that is inaccurate or incomplete.
  • Right to erasure ("right to be forgotten"). Delete your account and all associated data. Except for records we are legally required to retain (such as tax invoices), everything will be permanently deleted within 30 days, and backups purged within 90 days.
  • Right to data portability. Export your documents and metadata as a ZIP archive directly from your account settings.
  • Right to object or restrict processing. Object to processing based on legitimate interests, or request that we restrict processing while a dispute is resolved.
  • Right to withdraw consent. Where processing is based on consent (for example, optional marketing emails or AI-powered extraction), you can withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint. You can complain to the NZ Office of the Privacy Commissioner, your local EU supervisory authority, or the UK Information Commissioner's Office (ICO).

To exercise any of these rights, email privacy@docstow.com. We will respond within 20 working days (NZ Privacy Act 2020) or within one month (GDPR), and always free of charge for reasonable requests.

6. How we handle sensitive information

Some documents you upload — medical records, identity documents, immigration papers — may contain "special category" data under the GDPR or sensitive information under the NZ Privacy Act. We process this data solely to store it for you and help you keep track of it. We never analyse, monetise or share it, and our AI-powered features are strictly opt-in.

7. Data Protection Impact Assessments (DPIAs)

Before we launch a new feature that could materially affect your privacy, we conduct a Data Protection Impact Assessment documenting the risks and the safeguards we've put in place. DPIAs are available to regulators on request.

8. Records of processing activity

We maintain an internal Record of Processing Activities (ROPA) as required by Article 30 of the GDPR. This record is available to supervisory authorities on request.

9. Automated decision-making

DocStow does not make any decisions about you that have legal or similarly significant effects using solely automated means. Our renewal reminders and document classifications are advisory features — the final decision is always yours.

10. Data protection contact

For all data protection matters, please contact:
Privacy Officer, DocStow Ltd
Email: privacy@docstow.com
Post: DocStow Ltd, Privacy Officer, Auckland, New Zealand